Vast array of medical devices vulnerable to serious hacks, feds warn

Backdoors in defibrillators, ventilators, and other devices put patients at risk.

A vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks, federal officials have warned.

The devices, which also include ventilators, patient monitors, and surgical and anesthesia devices, contain hard-coded password vulnerabilities, according to an advisory issued Thursday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a liaison group between the US Department of Homeland Security and private industry. Attackers who know the default passwords of the devices can exploit these backdoors and change critical settings or replace the authorized firmware altogether.

The advisory came the same day that the Food and Drug Administration released its own notice on the same topic. Both warnings said there was no indication attacks were being carried out in the wild, and neither warning disclosed the affected device models or the manufacturers. But Terry McCorkle, one of the researchers who uncovered the vulnerabilities, said few if any are immune.

He declined to name specific companies or products. He went on to say no reverse engineering is required to acquire the device passwords.

"The affected devices have hard-coded passwords that can be used to permit privileged access to devices, such as passwords that would normally be used only by a service technician," the ICS-CERT warning stated. "In some devices, this access could allow critical settings or the device firmware to be modified."

Security concerns have risen over the past decade as more and more medical devices incorporate configurable computer systems that are susceptible to tampering by malicious hackers. The amount of damage that can be done is magnified because many pacemakers, insulin pumps, and other devices implanted in or attached to a patient's body can be remotely controlled using radio signals. Security researchers have proposed various measures to make unauthorized changes harder. The most effective way for manufacturers to prevent tampering is to remove backdoor accounts, followed by requiring all firmware to be digitally signed, McCorkle said.

Promoted Comments

Let's see. They don't have internet access. If a wrongdoer has access to your pacemaker you are in trouble already. Such a bizarre thing to be concerned about, kind of just adds to the fear.

Pacemakers are administered wirelessly now so there don't have to be wires sticking out of the patient or incisions every time they need to be adjusted. The issue here is these things are hard coded with known passwords, so a jackass hacker with a cellphone could sit in the same restaurant as you and play with your pacemaker, or turn it off.

Quote:

You watch too much CSI.

Sneak up behind him, stab him a few times. Dump knife.

Are you kidding? Police see a guy stabbed to death, they go find the person that stabbed them. Police see a guy whose pacemaker failed, and they assume it was natural causes. Now, everyone with a pacemaker doesn't need to be in constant fear for their life, but having hardcoded passwords in medical devices is nearing criminal negligence.

Until the day someone hacks and publishes every piece of email Congressmen have exchanged with lobbyists, as well as their medical data and financial transactions, we won't have a serious conversation about criminalizing assaults on privacy.

Let's see. They don't have internet access. If a wrongdoer has access to your pacemaker you are in trouble already. Such a bizarre thing to be concerned about, kind of just adds to the fear.

Are you saying as long as there's no internet connection it's not vulnerable to hacking? If so, is this true of insulin pumps, that, say, are remotely controlled by computers as far away as 300 feet and often require minimal amounts of authentication?

Until the day someone hacks and publishes every piece of email Congressmen have exchanged with lobbyists, as well as their medical data and financial transactions, we won't have a serious conversation about criminalizing assaults on privacy.

And I am sure if that happened Congress would only criminalize it for invading the privacy of a public servant.

Let's see. They don't have internet access. If a wrongdoer has access to your pacemaker you are in trouble already. Such a bizarre thing to be concerned about, kind of just adds to the fear.

Are you saying as long as there's no internet connection it's not vulnerable to hacking? If so, is this true of insulin pumps, that, say, are remotely controlled by computers as far away as 300 feet and often require minimal amounts of authentication?

And what are you saying? That a nefarious individual will hack a pacemaker or insulin pump to kill someone?

Why wouldn't they just kill you in the regular way - bullet to the head with silencer? They are already there.

If they tampered with the pump there would be evidence. Especially when there is going to be an autopsy when something went wrong.

I don't think someone would do this, it's pretty far fetched. There are far more lethal ways to kill people for sure. Going forward maybe it might be a government mandate to provide X amount of security. To make it proof against idiots but if someone really really wants to kill you, there are better more thorough options.

And what are you saying? That a nefarious individual will hack a pacemaker or insulin pump to kill someone?

Why wouldn't they just kill you in the regular way - bullet to the head with silencer? They are already there.

If they tampered with the pump there would be evidence. Especially when there is going to be an autopsy when something went wrong.

I don't think someone would do this, it's pretty far fetched. There are far more lethal ways to kill people for sure. Going forward maybe it might be a government mandate to provide X amount of security. To make it proof against idiots but if someone really really wants to kill you, there are better more thorough options.

OK, so you admit that the lack of Internet connectivity has nothing to do with whether a device will be hacked, yes?

And what are you saying? That a nefarious individual will hack a pacemaker or insulin pump to kill someone?

Why wouldn't they just kill you in the regular way - bullet to the head with silencer? They are already there.

If they tampered with the pump there would be evidence. Especially when there is going to be an autopsy when something went wrong.

I don't think someone would do this, it's pretty far fetched. There are far more lethal ways to kill people for sure. Going forward maybe it might be a government mandate to provide X amount of security. To make it proof against idiots but if someone really really wants to kill you, there are better more thorough options.

OK, so you admit that the lack of Internet connectivity has nothing to do with whether a device will be hacked, yes?

You're the expert. Of course internet connectivity has nothing to do with whether a device can be hacked. But if you have possession of the product it becomes moot, don't you think? Why not just strangle, beat, shoot, poison, knife? If you are that close and you hack and kill the person with a massive spike of insulin, the questions of how this happened come, don't you think? Having a hacking system, with the proper team to get this done isn't trivial. Why not just do it the old traditional methods that are simpler and easier and take far less tech, information, scouting, and equipment?

From a medical student's rather limited observations of medical devices, the majority of them at the moment aren't anywhere near the risk of being hacked per se, simply because most of them aren't wireless devices, nor have any real input/output beyond monitoring data transfers, (also, wireless pacemakers, pumps etc are far more expensive)

However, without developments, future devices will definitely be at risk.

If they tampered with the pump there would be evidence. Especially when there is going to be an autopsy when something went wrong.

What evidence? Sit behind them in the movie theater. *BEEP*Pacemaker/insulin pump/whatever goes crazy. They die. *BEEP*Reset pacemaker before paramedics arrive.

How detailed do you think the logs are on these things?

You watch too much CSI.

Sneak up behind him, stab him a few times. Dump knife.

Versus

Getting the pacemaker name, finding out the firmware, finding a weakness ahead of time, going into the theatre while applying the firmware, waiting for him to die without help and him knowing how to help himself, confirming death, and then resetting the firmware.

From a medical student's rather limited observations of medical devices, the majority of them at the moment aren't anywhere near the risk of being hacked per se, simply because most of them aren't wireless devices, nor have any real input/output beyond monitoring data transfers, (also, wireless pacemakers, pumps etc are far more expensive)

However, without developments, future devices will definitely be at risk.

Not so much for the relatively legacy devices in use today.

From the 6-years-ago observations of a software engineer configuring medical devices for remote access... there's a risk. True, most of them aren't wireless, but more-and-more of them are getting wired in to a computer, and that computer is on the hospital network, and the hospital network connects to the internet.

There are certainly easier ways to kill someone, and this certainly wouldn't be easy. But, with hard-wired passwords (dang, I can't remember the Philips MP40 service password... but I'm pretty sure it's the same as the MP50's and the MP70's) it's perhaps easier than it should be.

From a medical student's rather limited observations of medical devices, the majority of them at the moment aren't anywhere near the risk of being hacked per se, simply because most of them aren't wireless devices, nor have any real input/output beyond monitoring data transfers, (also, wireless pacemakers, pumps etc are far more expensive)

However, without developments, future devices will definitely be at risk.

Not so much for the relatively legacy devices in use today.

From the 6-years-ago observations of a software engineer configuring medical devices for remote access... there's a risk. True, most of them aren't wireless, but more-and-more of them are getting wired in to a computer, and that computer is on the hospital network, and the hospital network connects to the internet.

There are certainly easier ways to kill someone, and this certainly wouldn't be easy. But, with hard-wired passwords (dang, I can't remember the Philips MP40 service password... but I'm pretty sure it's the same as the MP50's and the MP70's) it's perhaps easier than it should be.

I agree fully that newer machines and those planned would benefit from more advanced security than what is currently in place. Currently though, little to no administrative devices are linked to a hospital's network, like the Philips devices you've mentioned. (By administrative, I'm referring to drips, infusion pumps etc.) The only things that have any active connections are vitals monitors, which are hardly life-affecting. I know there are new devices, but most hospitals (except the fancy, expensive ones) use relatively old machines, since they work just as well.

Think there's just a general lack of concern for security in medical devices which needs to be addressed though. Definitely.

Let's see. They don't have internet access. If a wrongdoer has access to your pacemaker you are in trouble already. Such a bizarre thing to be concerned about, kind of just adds to the fear.

Pacemakers are administered wirelessly now so there don't have to be wires sticking out of the patient or incisions every time they need to be adjusted. The issue here is these things are hard coded with known passwords, so a jackass hacker with a cellphone could sit in the same restaurant as you and play with your pacemaker, or turn it off.

Quote:

You watch too much CSI.

Sneak up behind him, stab him a few times. Dump knife.

Are you kidding? Police see a guy stabbed to death, they go find the person that stabbed them. Police see a guy whose pacemaker failed, and they assume it was natural causes. Now, everyone with a pacemaker doesn't need to be in constant fear for their life, but having hardcoded passwords in medical devices is nearing criminal negligence.

Guy trying to kill someone professionally? There are a million easier ways. Professionally, how would police know to look for you? You will already be out of town by the time police come to the conclusion that it's a professional hit. One would have to be very high profile to lock down a city.

Cell phone hacking a pacemaker? Again too much CSI. One would have to make a pacemaker hack program, if you knew the firmware on the target, have a hack on a phone, somehow launch it within proximity, somehow reset the firmware.

Criminal Negligence? Really? How does the tech's service, doctors, people using the device get to the settings? Everyone have a hackproof password a 100 characters long of numbers letters and expressions changed weekly? how would anyone remember it? And would it make it hackproof from a professional anyways? Will there be daily updates and zero day exploits? It's as ridiculous as it sounds.

This does not surprise me. It's not hardware-related, specifically, however I did have a big EMR vendor want me to set the password to the default for a serial port server which hosted lab devices. I had it set to something randomly-generated, and it was too difficult for him to create a note for each different entity. It made me wonder what kind of shortcuts were being taken elsewhere. Thankfully the project was aborted after the corporate CIO left the company - which is good, because the EMR software was completely unreliable as used at the corporate location and the rest of IT there was really having a hard time understanding why we were migrating off our more reliable and more capable system we were on.

If it can be accessed via the internet, it can be hacked. When will everyone realize that MOST things need to be offline to the internet. Seriously, how many times a month do you get updates to your PC to keep hackers from messing with your PC, and how long has that stopped people? Really, it's time to make a decision, everyone, do you want this device sabotaged, or do you want it safe? If you want it safe, remove the ability for it to be hacked. NO access to the internet.

Let's see. They don't have internet access. If a wrongdoer has access to your pacemaker you are in trouble already. Such a bizarre thing to be concerned about, kind of just adds to the fear.

Are you saying as long as there's no internet connection it's not vulnerable to hacking? If so, is this true of insulin pumps, that, say, are remotely controlled by computers as far away as 300 feet and often require minimal amounts of authentication?

I don't think hacked medical devices will be as big a target, because in addition to normal hacking charges which carry a rather stiff penalty, they can also get charged with murder. Not very smart.

Since when do murder charges stop anyone from murder? It still keeps happening, though I grant that medical devices would be a briefly low priority issue. Still, a hit man gets an order to kill somebody, he does his research, and lo-and-behold the guy has a remotely controllable pacemaker. Voila, hire a cheap hacker to send the right commands, and he no longer has to wipe the blood off his hands.

Let's see. They don't have internet access. If a wrongdoer has access to your pacemaker you are in trouble already. Such a bizarre thing to be concerned about, kind of just adds to the fear.

If they don't then my comment is moot. Thus, your comment is moot. I was NOT talking about the devices which are NOT addressable by the internet, but ones that are addressable, either directly or indirectly via a PC communicating with the pacemaker which is accessible from the internet.

Let's see. They don't have internet access. If a wrongdoer has access to your pacemaker you are in trouble already. Such a bizarre thing to be concerned about, kind of just adds to the fear.

They don't need internet access to get hacked. Just get within 20 to 100m with a laptop and they can be hacked / read with script kiddy tools or less (bluez, scapy are more than enough with bt 2.1+ and ble dongles). Some don't even have security (no passwords).

Hospitals, nursing homes and care centers (and home PCs) hook up PCs to the net then connect the devices to the PCs.

You forget the increasing number of devices with RF or Bluetooth connections, and Bluetooth is not secure and neither are most of the proprietary radio protocols either, and for non-paired devices (i.e. a lot of BLE) you can read them easily.

Problem is it's not just monitoring devices but drug delivery, pacemakers, also interfaces on wheelchairs and walkers, and the security is incredibly poor!

Let's see. They don't have internet access. If a wrongdoer has access to your pacemaker you are in trouble already. Such a bizarre thing to be concerned about, kind of just adds to the fear.

Pacemakers are administered wirelessly now so there don't have to be wires sticking out of the patient or incisions every time they need to be adjusted. The issue here is these things are hard coded with known passwords, so a jackass hacker with a cellphone could sit in the same restaurant as you and play with your pacemaker, or turn it off.

Having a radio transmitter is not even close to the same as having the correct radio transmitter. There are many, many MHz of spectrum other than the (very small) slices that a smartphone can transmit and receive on.

All those people who are crying about backdoors need to get some time thinking about key distribution - when you are in a critical situation and walk into an ER, the doctor does not have time to fiddle with your device - it needs the settings NOW and it might need to change them right away.

Yes, as with everything, it is much easier to destroy something than to make it work reliably. How long does it take to spray-paint some graffiti and how long does it take to clean it? Or to break a window? Somehow I don't see many people with reinforced crystal windows.

Let's see. They don't have internet access. If a wrongdoer has access to your pacemaker you are in trouble already. Such a bizarre thing to be concerned about, kind of just adds to the fear.

Pacemakers are administered wirelessly now so there don't have to be wires sticking out of the patient or incisions every time they need to be adjusted. The issue here is these things are hard coded with known passwords, so a jackass hacker with a cellphone could sit in the same restaurant as you and play with your pacemaker, or turn it off.

Having a radio transmitter is not even close to the same as having the correct radio transmitter. There are many, many MHz of spectrum other than the (very small) slices that a smartphone can transmit and receive on.

You're saying things that are demonstrably false. I urge you to read research presented by Barnaby Jack at last year's Black Hat conference.

Huh? Pacemakers, defibrillators, deep brain stimulators, etc, are set up via hardwire during implantation. The pacer units are then checked via phone or by the use of an induction transceiver in the doc's office. If an "adjustment" is needed, it is done at that time, and the device is checked to ensure it is working. If someone's messed with the transceiver firmware, hopefully someone would catch it fairly quickly.

Just to head off any hysteria, pacers and defibrillators are implanted to correct chronic signal or intermittent signal imbalances that the patient had probably been living half their life with anyway. Suddenly shutting off a pacer or defibrillator isn't gonna make them drop dead.

Since the biggest sweat with device implantation is getting the leads properly placed and are permanent once they are, with the battery and pacing unit placed subcutaneously, it would be a 15 minute job to take the old unit out, attach the leads to a new one, set its functions and stitch 'em up.

What's scary would be folks putting Stuxnet Junior in a hospital network to run amok on networked ventilators, power injectors for imaging, radiation therapy linear accelerators, CT scanners, to alter or shut them off, change rates of injection, change administered doses of radiation, etc.....

Let's see. They don't have internet access. If a wrongdoer has access to your pacemaker you are in trouble already. Such a bizarre thing to be concerned about, kind of just adds to the fear.

They don't need internet access to get hacked. Just get within 20 to 100m with a laptop and they can be hacked / read with script kiddy tools or less (bluez, scapy are more than enough with bt 2.1+ and ble dongles). Some don't even have security (no passwords).

Hospitals, nursing homes and care centers (and home PCs) hook up PCs to the net then connect the devices to the PCs.

You forget the increasing number of devices with RF or Bluetooth connections, and Bluetooth is not secure and neither are most of the proprietary radio protocols either, and for non-paired devices (i.e. a lot of BLE) you can read them easily.

Problem is it's not just monitoring devices but drug delivery, pacemakers, also interfaces on wheelchairs and walkers, and the security is incredibly poor!

If it can be accessed via the internet, it can be hacked. When will everyone realize that MOST things need to be offline to the internet. Seriously, how many times a month do you get updates to your PC to keep hackers from messing with your PC, and how long has that stopped people? Really, it's time to make a decision, everyone, do you want this device sabotaged, or do you want it safe? If you want it safe, remove the ability for it to be hacked. NO access to the internet.

To use email, you need internet access. The records desk uses email. The records desk needs access to the patient records. The patient record is updated by the patient monitoring system. The monitoring system is hooked up to the monitors. (Those last two bits were what I was programming 6 years ago.)

"Disconnected" isn't an option anymore. Using better security IS an option... well, not really an option; as this makes clear, now it should be a requirement.

The choice isn't between "unplug everything" and "prepare to die". "Use some basic security" is all anyone is asking for.